I am having the same issue as outlined in this question: How to not log a get request parameter in the nginx access logs?
However, since nginx is configured through AWS, I am not sure how to modify this when I deploy. It is not clear to me where these configurations go. AWS support is not able to help, as it is an issue with nginx rather than AWS.
Any information to point me in the right direction would be appreciated.
So far all I have is that I can modify ./ebextensions/nginx.config in my repository that I deploy to EB, but what needs to be set within that is not clear.
=================================
OK, so some fun updates. Basically, AWS EB environments are set up with default nginx.configs for their instances. Within those configs, it includes all *.config files at a certain path, including one auto generated file which contains the server directive. It injects all of these into the http directive of the nginx.config.
You do have the option of completely overriding the nginx config. But, being someone who is damn near clueless on what all is going on in there and the potential dangers of doing so, I figured that it'd be best to not modify default behavior as much as possible. Therefore, I've resolved to find a way to modify this auto generated .config file and restart nginx.
So far what I've got is this for my ./ebextensions/01_proxy.config:
files:
  "/etc/nginx/conf.d/injectObfuscation.sh":
    # Executable, so the container command below can run it directly
    mode: "000755"
    owner: root
    group: root
    content: |
      #!/bin/bash
      # This script expects a file as input with an nginx server directive to be injected into the http directive of an nginx.config file.
      # It will make two modifications:
      # - It will create a log_format to be used when filtering the password parameter
      # - It will find the server directive and inject a location directive for the sensitive endpoint
      #   - This directive will replace the sensitive parameter with *s and use the filter log_format instead of the main log_format
      # TODO: Figure out how to do the above ^^
container_commands:
  01_update_server_directive:
    # Absolute path: container_commands do not run from /
    command: "/etc/nginx/conf.d/injectObfuscation.sh /etc/nginx/conf.d/00_elastic_beanstalk_proxy.conf"
  02_reload_nginx:
    command: "sudo service nginx reload"
The files: line declares that I'm creating some files to add to the EC2 instance. Here, my goal is to create a bash script to accomplish my task. My tasks, as outlined in the comments, are to first add a line with the log_format. Then, find the line with server{, and below it I need to inject the location /my/sensitive/endpoint directive in its entirety.
Any help on writing this bash script, which I'm completely unfamiliar with, would be awesomely appreciated.
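One way to write the script described above, as an added example that is not the poster's or AWS's code: it puts the log_format above the first `server {` line, puts the location block directly below it, and is safe to re-run on every deploy. The function name, the marker comment, the `$filtered_request` variable, the `password=` regex and the access log path are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not the poster's script). Hypothetical names: inject_obfuscation,
# $filtered_request, the marker comment. The nginx snippets are constructed.
inject_obfuscation() {
    conf="$1"
    marker="# injectObfuscation: managed block"
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 1; }
    # container_commands run on every deploy, so skip a file already patched.
    if grep -qF "$marker" "$conf"; then return 0; fi

    # log_format is only valid at http level; the generated file is included
    # there, so the line goes above the server block, not inside it.
    LOG_FORMAT=$(cat <<'EOF'
log_format filter '$remote_addr - $remote_user [$time_local] "$filtered_request" '
                  '$status $body_bytes_sent "$http_referer" "$http_user_agent"';
EOF
)
    LOCATION=$(cat <<'EOF'
    location /my/sensitive/endpoint {
        set $filtered_request $request;
        if ($filtered_request ~ (.*)password=[^&]*(.*)) {
            set $filtered_request $1password=****$2;
        }
        access_log /var/log/nginx/access.log filter;
        # ASSUMPTION: repeat the proxy_* lines from the existing "location /" here.
    }
EOF
)
    export LOG_FORMAT LOCATION   # read via ENVIRON so awk does not touch escapes
    tmp=$(mktemp) || return 1
    # Insert around the first "server {" line; exit non-zero if none was found
    # so the original file is left untouched.
    if awk -v marker="$marker" '
        !done && /^[ \t]*server[ \t]*[{]/ {
            print marker; print ENVIRON["LOG_FORMAT"]
            print; print ENVIRON["LOCATION"]
            done = 1; next
        }
        { print }
        END { exit !done }' "$conf" > "$tmp"
    then cat "$tmp" > "$conf"; rc=0   # cat keeps the file's owner and mode
    else echo "no server block in $conf" >&2; rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# Run as: injectObfuscation.sh /etc/nginx/conf.d/00_elastic_beanstalk_proxy.conf
if [ "$#" -gt 0 ]; then inject_obfuscation "$1"; fi
```

Running `nginx -t` between the injection and the reload catches a bad edit before it reaches the running server.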